Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Compare the time for the execution
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Compare the time for the execution
Hello Champions,
I come across a very complex logic to tag jobs on its start time.
We have one calculated value, it can be Weekly or Daily based on Job Run start time.
Weekly= If the Job Start time is Saturday 4AM to Monday 6:PM
Daily = for remaining days in week.
If its date comparison we can easily do that. we can have cascaded if then else to check days and then time. Is there any smart way to do that ?
Thanks
Praveen
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming the field name is job_start_date and it's value is string. try like this
your base search | eval job_start_epoch=strptime(job_start_date,"%d/%m/%y %H:%M:%S") | eval dayOfWeek=lower(strftime(job_start_epoch,"%a")) | eval hour=tonumber(strftime(job_start_epoch,"%H") )
eval Type=if(dayOfWeek="sun" OR (dayOfWeek="sat" AND hour>=4) OR (dayOfWeek="mon" AND hour<=16 ),"Weekly","Daily"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming this is a scheduled job that runs at different time, try add this to your search. If job start time is a field in you data, you can replace the now() with strptime of field
your base search | eval tag=if(now()>relative_time(now(), "@w6+4h") AND now()<relative_time(now(), "@w1+6h"), "Weekly", "Daily")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think the answer should be
Convert the number of week and time in 24 hour. Combine them %w%H
if its more then 604(Saturday04AM) and less then 218(Monday6PM) then its weekly.
Else its daily
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the format of field job start time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@samesoni2
%d/%m/%y %H:%M:%s
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Mile High Learning with Splunk University, Denver, Colorado
IT Service Intelligence 5.0 Series: Your Guide to the June Launch
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
